Phishing in the Time of COVID-19: How to Recognize Malicious Coronavirus Phishing Scams

Update 3-26-20: Researchers at Lookout have reported a new, widespread example of Android spyware that uses COVID-19 as a lure to deliver its malicious payload. This particular malware, called "corona live 1.1.", comes out of Libya and seems to mostly target Libyan citizens. Like other examples listed below, it uses the same COVID-19 dashboard developed by Johns Hopkins University.

For malicious people, preying on collective fear and misinformation is nothing new. Mentioning national headlines can lend a veneer of credibility to scams. We've seen this tactic time and again, so it's no surprise that COVID-19 themed social media and email campaigns have been popping up online. This blog post provides an overview of how to defend against phishing attacks and malware, examples of phishing messages we’ve seen in the wild related to coronavirus and COVID-19, and specific scenarios to look out for (such as if you work in a hospital, are examining maps of the spread of the virus, or are using your phone to stay informed).

Avoiding phishing attacks

These COVID-19 themed scam messages are examples of "phishing": an attacker sends a message, email, or link that looks innocent but is actually malicious and designed to prey on fears about the virus. Phishing often involves impersonating someone you know or a platform that you trust. Your day-to-day diligence is the best preventative measure. Consider these points before you click: Is it an enticing offer? Is there a sense of urgency? Have you interacted with the sender before over this platform?

If an email sounds too good to be true (“New COVID-19 prevention and treatment information! Attachment contains instructions from the U.S. Department of Health on how to get the vaccine for FREE”), it probably is. And if an email demands urgent action from you (“URGENT: COVID-19 ventilators and patient test delivery blocked. Please accept order hereto continue with shipment.”), take a moment to slow down and make sure it’s legitimate. Keep in mind that legitimate sources of health information likely won’t use unsolicited email or text messages to make announcements. Some examples of phishing emails — ones that we’ve received and you might similarly encounter — are included at the bottom of this post.

In the above email, note that the domain sending this “Gates Foundation” email includes a subtle typo. Phishing emails such as this one count on readers seeing only the display name, not the email address beside it. Always check the actual address the message originates from, not just the name shown.

Some common-sense measures to take include:

Check the sender's email address. Are they who they claim to be? Check that their contact name matches the actual email address they’re sending from.

Try not to click or tap! If it’s a link and you’re on a computer, hover your mouse over it to closely inspect the domain in the address before clicking.

Try not to download files from unfamiliar people. Avoid opening attachments from any external email addresses or phone numbers.

Get someone else’s opinion. Ask a coworker: Were we expecting an email from this sender? Or ask a friend: Does this email look strange to you? A good practice is to use a different medium to verify (for example, if you receive a strange email claiming to be your friend, try calling your friend over the phone to double-check that it’s from them).

For more tips—such as important preventative measures to these attacks, like backing up your data and updating your software—check out our Security Education Companion printable handout on malware and phishing, which is included at the end of this article.

Specific Scenarios to Watch For

Sometimes, malicious actors use phishing messages to get you to log into a service. They might provide a website that looks like a social media service you use, a service you use for work, or a critical website you use for payments and banking. However, sometimes, phishing messages are used to get you to download malware, or malicious software. We’ve included some more specific scenarios where we’ve seen COVID-19 themed phishing attacks and malware below.

Hospitals and Healthcare Workers at Risk

Hospitals in New York are notifying their staff about incoming cyber attacks, and have cited a few different common attack types that have already appeared, including:

a phishing email from a sender purporting to represent a well-known organization like the World Health Organization (WHO)

a phishing email claiming to be from the Centers for Disease Control and Prevention (CDC), providing vital information about how to prevent and treat COVID-19.

Some emails will carry attachments such as PDFs or Word document files that promise to carry that vital information, but actually have embedded malicious code that will infect your computer.

Another type of phishing campaign targeting hospitals comes from senders pretending to be medical suppliers. In the emails, they claim that their deliveries have been stalled or interrupted and require some action by hospital staff to complete. The message body provides a link that takes the recipient to a site that then executes malicious code. Once malicious code is installed on a computer, it could be used to steal important data or corrupt the disk. Two types of malware being used especially often are trojans and ransomware:

Trojans: When downloaded, Trojan software may perform like the intended legitimate application, but is in fact doing malicious things in the background. An example in these COVID-19 emails is the use of the AzorUlt Trojan.

Ransomware: When downloaded, this malicious software holds a company, organization, or individual's data for ransom.

AzorUlt Trojan

Malwarebytes Labs reported finding variations of an AzorUlt trojan malware embedded in some of these attachments. The AzorUlt trojan is a flexible type of malware that commonly collects important data like browser history, passwords, and session cookies from the infected computer, then sends that to a command and control server elsewhere online. From there it could download and execute more malicious code, such as ransomware. This particular type of trojan is good at staying hidden, as its core function is to collect vital data from non-persistent memory on the infected machine, then quietly deliver that to its command and control server.

Krebs On Security recently documented that some phishing campaigns use a live interactive map of COVID-19 to distribute different variations of the same AzorUlt trojan. The map and interactive dashboard were developed by Johns Hopkins University, so visually these emails could appear valid and trustworthy even to a cautious eye.

Mobile Phone Ransomware

Sometimes, attackers might get you to download an application that pretends to be helpful or to provide critical medical information, but actually installs malware. A researcher at DomainTools recently reported on a distribution of Android ransomware that has been posing as a coronavirus update application. Once installed, the app encrypts and locks the user’s phone, demanding Bitcoin as ransom. Unfortunately for the developers of this malicious app (and luckily for affected users), a researcher at ESET Research discovered that the decryption key was hardcoded: anyone affected could use the same key to regain control of their phone. They published said key on Twitter.

Responding with Vigilance

As the world’s anxiety regarding coronavirus continues to escalate, the likelihood that otherwise cautious digital citizens will click on a suspicious link is much higher. Even more unfortunate is that hospitals and medical facilities are already likely to fall victim to ransomware attacks. With a burgeoning global pandemic, the consequences of these attacks will be even more dire. And with medical staff already overburdened and overworked by the demands brought on by COVID-19, they will be even more susceptible.

Despite these phishing campaigns taking advantage of headlines, so far they’re not really anything new. That makes detecting them easier. With appropriate caution, you can avoid these phishing strategies. For more information on how malware is installed (and how to avoid it), check out this malware and phishing handout from SEC.

Examples of COVID-19 Phishing Emails

Example 1

Hello.

We have urgent information about the CORONAVIRUS(COVID-19). VBS

presentation in rar.

The attachment contains a document with safety and coronavirus

prevention instructions,

also instructions from the U.S. Department of Health on how to get the

vaccine for FREE.

Send this information to all your loved ones as soon as possible.

rar password : 1234567

=================================

U.S. Department of Health & Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

Toll Free Call Center: 1-800-368-1019

TTD Number: 1-800-537-7697

Example 2

(In this example, notice how the links they provide start with “https;” and not “https:”. This is a common tactic: placing two very similar-looking characters next to each other so that the user won’t notice the difference and will click on the link before realizing it’s not what it appears to be.)

The outbreak of Coronavirus is a rapidly developing situation and is likely to affect many travel plans over the coming months. We strongly recommend that anyone travelling or planning to travel takes guidance from the Foreign and Commonwealth office:

https;//eff.org/coronavirus-covid-19-information-for-the-staff

The WHO's designation of coronavirus as a pandemic yesterday has significant implications for the operation of insurance policy cover and these are clearly posing unprecedented challenges.

The team have put together some advice for you based on current activities:

I am travelling to a country where there has been an outbreak?

If the WHO advise against travel to the area you are visiting then in the first instance you should contact your travel operator or medical practitioner to reschedule or ask for a protective tips. MOST REPORTED CASES SAVES LIFES.

Kindly take a break and read the attached articles on our site and futher refrences on the issue for our staff
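The two checks described in this post, comparing the display name against the actual sending domain (the “Gates Foundation” typo-domain email and the common-sense measures above) and spotting the “https;” link trick from Example 2, can be applied mechanically to a raw email. The checker below is an added example written for this post, not code from EFF or from any of the researchers cited; the trusted-organization list, the edit-distance threshold of 1, the sample message, and the example.org URL are all constructed assumptions.

```python
"""Added example (not from the EFF post): a small checker that applies two of the
post's heuristics to a raw email. The trusted list, threshold and sample message
below are constructed assumptions, not data from the post."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the organisations your staff actually expect mail from, keyed by
# the real sending domain, with the name a display name would show (lowercase).
TRUSTED = {
    "gatesfoundation.org": "gates foundation",
    "who.int": "world health organization",
    "cdc.gov": "centers for disease control",
}

# Matches a URL whose scheme separator is any of ; : , . so that "https;//"
# (the Example 2 trick) is caught alongside the genuine "https://".
SCHEME_RE = re.compile(r"\b(https?)([;:,.])//([^\s<>\"']+)", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, max_distance=1):
    """Return the trusted domain that `domain` is a near-miss typo of, or None.
    A threshold of 1 is an assumption; raising it increases false positives."""
    if domain in TRUSTED:
        return None
    for trusted in TRUSTED:
        if levenshtein(domain, trusted) <= max_distance:
            return trusted
    return None


def display_name_mismatch(name, domain):
    """Return the trusted domain whose organisation the display name claims
    when the message was not actually sent from that domain; else None."""
    compact = re.sub(r"\s+", " ", name.lower()).strip()
    for trusted, org in TRUSTED.items():
        claims_org = org in compact
        from_org = domain == trusted or domain.endswith("." + trusted)
        if claims_org and not from_org:
            return trusted
    return None


def find_bad_scheme_urls(text):
    """Return URLs in `text` whose scheme is followed by something other than ':'."""
    return [m.group(0) for m in SCHEME_RE.finditer(text) if m.group(2) != ":"]


def check_message(raw):
    """Parse a raw RFC 5322 message and report the three indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {
        "sender_domain": domain,
        "lookalike_of": lookalike_domain(domain),
        "name_claims": display_name_mismatch(name, domain),
        "bad_scheme_urls": find_bad_scheme_urls(text),
    }


# Constructed sample modelled on the post's "Gates Foundation" typo-domain email
# and the "https;" link trick from Example 2; example.org is a placeholder.
SAMPLE = """\
From: Gates Foundation <info@gatesfoundaton.org>
To: staff@example.org
Subject: URGENT: COVID-19 information for staff
Content-Type: text/plain; charset="utf-8"

We strongly recommend that all staff read the guidance here:
https;//example.org/coronavirus-covid-19-information-for-the-staff
Official WHO page: https://www.who.int/
"""

if __name__ == "__main__":
    for key, value in check_message(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the checker flags the sender domain as a one-character typo of gatesfoundation.org, notes that the display name claims that organization without coming from it, and lists the “https;//” link while leaving the genuine https://www.who.int/ link alone. The allowlist approach is deliberate: a short list of domains you really expect mail from gives far fewer false positives than trying to enumerate every malicious one.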

Example 3

(In this example provided by Abnormal Security, the target’s name and the university the sender is pretending to be from have been removed. The link directs the target to a page asking them to login to their Outlook account. This seemingly harmless login page is actually stealing those credentials.)
